Not just the "I'm a doctor..." mentality, it is characteristic of the whole healthcare system - if you aren't a _____ (fill in the blank with EMT, LPN, RN, PA, PhD, hospital admin) you don't know anything (in their minds).
I wonder if they even had an IT department, or if they did, if it was competent (and not composed of the relative of one of the high end staff members - some kid who "built his own computer so he knows what he is doing").
The ability of the doctor to access and alter network settings in

I've done IT work for many clinics here in Houston, and I've never run into that mentality before. I suppose it depends on the circles you do work with. In my case, it was next to impossible to get anything approved when they're too busy to handle anything business related. Again, these were small clinics.

What they should be using is Bitlocker. It can be overly sensitive in that any major Windows Update, driver, and BIOS will flag for the recovery key at boot. You can back the key up to AD or have it stored

How would BitLocker help in this case? Just curious why you think it'd help when it is information that's being exposed on the Internet, on a server that is running, and attached to the Internet, and not stolen laptops.

At a company I worked for the CFO had used Bitlocker to encrypt his disk and didn't tell anyone. He was the only person in the company that had done this. We went through a major domain migration which failed and so a new domain was created and everyone moved to it. Suddenly the CFO could not access his machine anymore and they could not recover anything.

I have done IT work in clinic environments and every doctor I have worked with usually started the conversation with, "I'm really stupid about computers.... could you help me with...." or something like that.

That was from a doc who was 30 something. The older they get, the more tech phobic they are.

My wife is a provider and we have a contest to see who has the most "arrogant ass" story. Or who is more arrogant: doctors or IT/Software developers/engineers.

The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell technology people all about how to do their job.

In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less than they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something than they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more than there are incompetent doctors.

I have probably forgotten more about IT than most even know. However, while I think I am competent in what I do, I do not know everything, nor is it really reasonable to do so. That is why specializations exist. Don't talk to the Network guy regarding your DB problems, or your DB guy about your Coding issues... Sure they may have some related experience and overlap, but likely won't be as knowledgeable as someone that does that as their core. Same with Doctors, they will all have a common background, but as

I'd say it's not. At least that's not true of a good many of the practitioners.

Not knowing "everything" is a sign of stupidity.

Only stupid people would think that. To know "everything" in the technology field is at least on par with knowing "everything" in the medical field. Only an idiot would think anyone could even remotely come anywhere near knowing "everything" in either field.

As far as tech hiring people are concerned, all of us are stupid - and bring in the H1-bs.

Hmmm...been working in this field for 25 years now and rarely have I encountered that. The few occasions I did it was quickly evident the persons involved were idiots. Being w

It most certainly was NOT an IT person at CERN who invented the HTTP protocol. He was a practicing scientist. The 'IT' people were probably busy replacing ribbons and making sure the paper wasn't spilling off the tractor feed mechanisms.

Also, all you need to do to 'master a computer' is learn how to put together a clone using off-the-shelf parts and a Phillips screwdriver. I remember how empowering it was to install Linux on a cheap clone box back in 1994, then build an 'internet' in my apartment by attaching surplus '386sx boxes on it with 3C503 cards and coax.

The biggest problem some IT people have is that they think the group of enamored people surrounding them who rely on them for help represent the whole world, and not the bubble the

This kind of arrogance comes from literally being the smartest person in the room most of the time and from talking to idiots all day - something doctors do all the time. don't blame the doctors, look at the patients...

Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT. I can't imagine them letting anyone have a friggin server with an outside connection. Especially a system as large as this.

The only way I can put this together is that Columbia is so large that they've lost control of their network to the point where any half bright person could just set up a server. I'm pretty sure that if the doc had said "I need a personal server to go thr

Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT.

A while ago some article around here mentioned a group of doctors who had privileges at a local hospital. The hospital required the medical group to agree to hospital IT policies, security audits and unannounced penetration tests in order to connect the group's computers to the hospital network.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

The details are sparse, but it doesn't sound to me that the specific doctor was any more to blame than the IT people. It's hard to imagine how deactivating one machine would expose private information if that information were on properly secured systems in the first place. The scenario I can easily imagine is that the machines with private information were accessed with insecure protocols and all the doctor in question did was to plug them into a more public switch or router.

The answer is simple. Cloud based medical records and disallow local caching. A PC is disconnected, no problem. It scales and it allows you to consolidate security. I never understood why we trust IT staffs with medical record security. You really need a Dev Ops team for that.

Who +1 nurb432 for insightful? If you met any average doctor, most don't care to tell you they don't know anything about computers because they only want to focus on medicine. The ignorance in this post lol

don't look at me - I didn't set permissions [...] The receptionist got to have a long chat with the Sr. Partner spearheading the project about the use of the company PCs.

I would suggest the Sr. Partner was (like TFS and GP) blaming the wrong person. If your receptionist can delete your billing system, you are doing computers wrong and should probably just give up the whole technology thing.

We see the same attitude when companies threaten/injunct/sue academics who discuss technical flaws in security systems. As if showing that the security is lame caused the security to be lame.

You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

Wrong, you just have to have local Admin rights.

The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removes the computer from the domain and deletes the computer account from the domain.

However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.

You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

Bloody autocorrect. That's what I get for typing posts using my phone.

Can't say that I've ever tried it on a system with local admin rights. Usually I don't set up my domains in such a manner, because users can't resist the fuzzy kitten videos that come with free....ahem...."screensavers".

My guess is that he or she was developing an app for fellow doctors, and was running a backend on a personally owned server for testing purposes. When app development was complete, the physician reconfigured this machine to work on other projects, but neglected to scrub it of HIPAA data, or access rights to this data.

The computer was then opened up to the outer world for another project that didn't involve patient data. Google searched the machine, and found the data trove.

The advantage of being vague and obtuse probably glosses over several other specific HIPAA violations that would drag several other responsible higher ups into the mud and saved them another million dollars in fines.
That is why companies spend more on administrators than on IT./What we really need is to expand H1-b's. After all, they've been telling us that for years and we just don't get it/
hmmm, why did I wait till the last sentence to add a sarcasm tag?

Let's ignore how the IT dept should have some kind of network traffic scans to see this stuff, how the heck does a non-admin do something like this? And I'm not attributing it to malice, I'm sure this guy "meant well" and in the process managed to screw everything up. Otherwise, I'm going with "scapegoats" for 1000, Alex.

Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off boarding the physician's computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think it's about time to clean house and the hospital seriously needs to find new IT staff.

The fact that the system allowed this to occur is the responsibility of the hospital. The advantage of this for us geeks is that we can point to it when discussing security with senior management; that sort of scale of fine does get their attention. OTOH if we don't make the effort to ensure our systems are secure, we deserve the kicking.

And this ladies and gentlemen is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

Yup. Companies want to treat "bring your own device" as if it meant "pay for the company's device" and it isn't surprising that this causes problems. They should simply provision employees with devices if they want them to work remotely/etc.

BYOD was not driven by the companies, but by the employees - they wanted to use their own devices for work. You have it backwards. Now, there is no question that some companies are slow to upgrade their equipment, but that's a different issue.

They're the same issue. People wouldn't want to use their smartphones for work if the company just issued them smartphones that they actually want to use. Devices were selected almost entirely for the sake of the ease of administration, with little regard for usability.

Irrelevant. IT failed in preventing him from doing it, and HR failed in letting the Dr. know exactly why this would be a bad idea. Drs. can afford their own private internet connection, there is no excuse for piggybacking on a medical care network so they can learn shit.

Agreed. I have never worked in a place (hospital or otherwise) where an end user could expose an internal service to the public.

HR failed

That pretty much sums up HR in general.

Drs. can afford their own private internet connection,

out of curiosity, how do you think this would work? A doctor is at the hospital, needs network access and.....has the phone company install a phone line in each of the wards she is rounding in? The "learning sh

There almost has to be more to this story than we're hearing, and I'd be interested in the details. Why does one have to "reconfigure" a server to disconnect a single, personally owned computer from a network? The doctors I know would pull the ethernet cable, pick up the computer and go home, without even thinking about the server.

No user should be able to do anything that would lead to this result. This is not the doctors fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

Clearly the [recital 2a] Googlebot and others were spidering patient data [hhs.gov] for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' fu
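The kind of log check this comment says should have caught the breach, as an added example that is not from the post or from either hospital: a small Python scan over constructed web-server access-log lines that flags search-engine crawlers retrieving content under assumed internal-only path prefixes (`/patients/`, `/records/`), and any internal path reached from a public source address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined log format; every address, path
# and timestamp here is made up for this example.
SAMPLE_LOG = """\
66.249.66.1 - - [10/May/2014:03:12:01 -0400] "GET /patients/record?id=1042 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.20.30.40 - - [10/May/2014:03:12:05 -0400] "GET /patients/record?id=1043 HTTP/1.1" 200 5020 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"
157.55.39.2 - - [10/May/2014:03:13:17 -0400] "GET /patients/record?id=1044 HTTP/1.1" 200 4988 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.66.1 - - [10/May/2014:03:13:40 -0400] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.20.30.41 - - [10/May/2014:03:14:02 -0400] "GET /static/logo.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed prefixes for content that should never be reachable from outside.
INTERNAL_PREFIXES = ("/patients/", "/records/")
# User-agent tokens of well-known search-engine crawlers.
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|baiduspider|duckduckbot", re.I)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(user_agent):
    return bool(CRAWLER_RE.search(user_agent))


def is_internal_path(path):
    # Compare the path only, ignoring any query string.
    return path.split("?", 1)[0].startswith(INTERNAL_PREFIXES)


def is_external_ip(ip):
    """True for globally routable addresses; unparseable sources are treated as untrusted."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return True


def analyze(log_text):
    """Scan log text; return flagged requests plus a per-address count of crawler hits."""
    findings = []
    crawler_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_crawler(rec["ua"]):
            crawler_hits[rec["ip"]] += 1
            # A crawler that got a 200 on internal content has already indexed it.
            if rec["status"] == 200 and is_internal_path(rec["path"]):
                reasons.append("search-engine crawler retrieved internal content")
        if is_internal_path(rec["path"]) and is_external_ip(rec["ip"]):
            reasons.append("internal path reached from a public source address")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return {"findings": findings, "crawler_hits": dict(crawler_hits)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f["ip"], f["path"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the two crawler retrievals of `/patients/record` are flagged while the internal-address requests and the crawler's `/robots.txt` probe are not.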

You missed the part where the doctor is actually a developer and was essentially working in IT....

What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.

"Sure, get the Head of Compliance to sign off this breach of security standards and I'll get right on it. Yes, he'll require you to sign a personal liability waiver allowing the hospital to recharge any fines it receives due to insecurities arising from your computer"

I hate bureaucracy but good corporate governance exists for a reason. "You can't do this" is seldom the right answer. "You can do this, here is how" is a great response to be able to give, and if the "how" is punitive, p

That's why you don't let Doctor Bashir play with the ship's phasers or the self-destruct sequence. There are other qualified high-rank officers to do that kind of work (when they're not mind-controlled by aliens or trapped in another plane of existence)

Having worked in IT and software development for a number of different health systems some common themes run true.

1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

2) Easy money. Money comes easy to these organizations. This plus...

3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increased labor costs for staff I'd like to know where this easy money is coming from.

You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like.

Your arguments about malpractice risks and insurance for that are negligible.

In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain English this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the health system and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons' hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav

Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc which also makes the patients the doctor's customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay.

Nicely put. The doctors' customers are IT's customers because without them the doctors don't need IT.

Looking out for the interests of the doctors is impossible without understanding their own obligations and requirements around patients. Preventing a doctor from alienating his entire patient base through poor IT implementation sounds like a pretty reasonable IT contribution.

So, I get what you're saying about IT needs to look out for more than just its own needs.

However, hospital management isn't really a "customer" in most cases. If you're talking about the CEO's email account, then the CEO is a customer like anybody else. However, if you're talking about the CEO telling IT that nobody can start a project without approval, then the CEO isn't a customer - he's the manager.

Ultimately, internal divisions like "doctors," "IT," "HR," etc are all conveniences. Legally, there is a

Hospital management is always IT's customer. They pay your department to perform services and protect the infrastructure. Every time you perform work for any staff member, you are performing a service for (and on the behalf of) management.

Well, they're your customer in the same sense that your boss is your "customer." If you look at it from the standpoint that you personally are a business that sells your labor, then your boss is a customer, and so is some guy who bribes you to share your company's secrets with them. However, that really isn't a great way of defining the term in practice.

The customer-centric attitude is generally advisable when dealing with just about anybody. However, I prefer to use the term customer to refer to somebod

As an emergency physician and former IT engineer with Unix system administration background, I'll say that most of the important software and hardware choices are made by the IT department and C-level executives without any input by physicians whatsoever. I'll reply to your points line by line:

> 1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are
> made by doctors and not the professionals who were hi

Thank you for giving your input as a physician. It is nice to hear from your perspective. I admit that I was unfairly categorizing all physicians into this category of being disrespectful to other professions. It is a real thing though but admittedly small in the grander scheme of the problems at play here.

IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health related work.

I see this in health systems big and small. You recognize the problem too, but you didn't really address my theory as to why this is, easy money and low accountability. Why in your opinion do you bel

I see it as an issue of low accountability for the most part, having different IT areas budgeted and the need to spend that budget before the year is out or otherwise we won't get the same amount of money next year. That's the mentality that most organizations take with silo-ing of budgets but to me seems to be a waste.

In my organization, they have outsourced the servers and support for the EMR to the EMR manufacturer for them to host in the "cloud" while adding more Citrix redirections and latency for the

That's supposed to be why they take physics and chemistry in pre-med. That and keeping the memorizers out of medical school.

My dad taught a chemistry class for the medical student track. Those professors were very conscious of their duty to keep morons from becoming doctors. A C did that. Some of these dweebs couldn't plug and chug formulas or balance a redox equation. Yet they had all already gotten As in high school chemistry. Great memorizers, hard workers, some just couldn't think. All _needed_ an A. T

"Hey, doc! I've done some first aid before. Mind if I treat your patient?"
"Hell no!"
"Why not?"
"Because I spent years obtaining an advanced degree, and have spent years since practicing and keeping my skills up to date."
"Well, then, doc, for the exact same reason, KEEP YOUR HANDS OFF OF MY NETWORK."

Do you really think that a specialist degree and a decade of experience counts for nothing?

A doctor can get arsey about their extra work needed to get professional status but it still doesn't mean they can design a network inside-out. Shit, I've been working in IT for two decades and I sure as hell can't.

So the roleplay conversation to which you replied is valid, is useful and is relevant.

One branch of government profits from hospitals unintentionally misusing your private information, then another branch of government takes those profits to fund the intentional and illegal misuse of your private information.

In their education, professionals, whether physicians or IT admins, are often inculcated with a professional swagger to the effect that they assume superiority in any situation. It is wise not to trust the judgement of those who exhibit this characteristic. They are commonly blind to their own failings and dismissive to others' concerns. Sadly, many are most impressed by this phenomenon, which they misapprehend as, "confidence".

If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)